.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "NAMED.CONF" "5" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
.SH NAME
named.conf \- configuration file for **named**
.SH SYNOPSIS
.sp
\fBnamed.conf\fP
.SH DESCRIPTION
.sp
\fBnamed.conf\fP is the configuration file for \fI\%named\fP\&.
.sp
For complete documentation about the configuration statements, please refer to
the Configuration Reference section in the BIND 9 Administrator Reference
Manual.
.sp
Statements are enclosed in braces and terminated with a semi\-colon.
Clauses in the statements are also semi\-colon terminated. The usual
comment styles are supported:
.sp
C style: /* */
.sp
C++ style: // to end of line
.sp
Unix style: # to end of line
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
acl <string> { <address_match_element>; ... }; // may occur multiple times

controls {
	inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read\-only <boolean> ]; // may occur multiple times
	unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read\-only <boolean> ]; // may occur multiple times
}; // may occur multiple times

dlz <string> {
	database <string>;
	search <boolean>;
}; // may occur multiple times

dnssec\-policy <string> {
	cdnskey <boolean>;
	cds\-digest\-types { <string>; ... };
	dnskey\-ttl <duration>;
	inline\-signing <boolean>;
	keys { ( csk | ksk | zsk ) [ ( key\-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
	max\-zone\-ttl <duration>;
	nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt\-length <integer> ];
	parent\-ds\-ttl <duration>;
	parent\-propagation\-delay <duration>;
	publish\-safety <duration>;
	purge\-keys <duration>;
	retire\-safety <duration>;
	signatures\-refresh <duration>;
	signatures\-validity <duration>;
	signatures\-validity\-dnskey <duration>;
	zone\-propagation\-delay <duration>;
}; // may occur multiple times

dyndb <string> <quoted_string> { <unspecified\-text> }; // may occur multiple times

http <string> {
	endpoints { <quoted_string>; ... };
	listener\-clients <integer>;
	streams\-per\-connection <integer>;
}; // may occur multiple times

key <string> {
	algorithm <string>;
	secret <string>;
}; // may occur multiple times

logging {
	category <string> { <string>; ... }; // may occur multiple times
	channel <string> {
		buffered <boolean>;
		file <quoted_string> [ versions ( unlimited | <integer> ) ] [ size <size> ] [ suffix ( increment | timestamp ) ];
		null;
		print\-category <boolean>;
		print\-severity <boolean>;
		print\-time ( iso8601 | iso8601\-utc | local | <boolean> );
		severity <log_severity>;
		stderr;
		syslog [ <syslog_facility> ];
	}; // may occur multiple times
};

managed\-keys { <string> ( static\-key | initial\-key | static\-ds | initial\-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated

options {
	allow\-new\-zones <boolean>;
	allow\-notify { <address_match_element>; ... };
	allow\-proxy { <address_match_element>; ... }; // experimental
	allow\-proxy\-on { <address_match_element>; ... }; // experimental
	allow\-query { <address_match_element>; ... };
	allow\-query\-cache { <address_match_element>; ... };
	allow\-query\-cache\-on { <address_match_element>; ... };
	allow\-query\-on { <address_match_element>; ... };
	allow\-recursion { <address_match_element>; ... };
	allow\-recursion\-on { <address_match_element>; ... };
	allow\-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
	allow\-update { <address_match_element>; ... };
	allow\-update\-forwarding { <address_match_element>; ... };
	also\-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
	answer\-cookie <boolean>;
	attach\-cache <string>;
	auth\-nxdomain <boolean>;
	automatic\-interface\-scan <boolean>;
	avoid\-v4\-udp\-ports { <portrange>; ... }; // deprecated
	avoid\-v6\-udp\-ports { <portrange>; ... }; // deprecated
	bindkeys\-file <quoted_string>; // test only
	blackhole { <address_match_element>; ... };
	catalog\-zones { zone <string> [ default\-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone\-directory <quoted_string> ] [ in\-memory <boolean> ] [ min\-update\-interval <duration> ]; ... };
	check\-dup\-records ( fail | warn | ignore );
	check\-integrity <boolean>;
	check\-mx ( fail | warn | ignore );
	check\-mx\-cname ( fail | warn | ignore );
	check\-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
	check\-sibling <boolean>;
	check\-spf ( warn | ignore );
	check\-srv\-cname ( fail | warn | ignore );
	check\-svcb <boolean>;
	check\-wildcard <boolean>;
	clients\-per\-query <integer>;
	cookie\-algorithm ( siphash24 );
	cookie\-secret <string>; // may occur multiple times
	deny\-answer\-addresses { <address_match_element>; ... } [ except\-from { <string>; ... } ];
	deny\-answer\-aliases { <string>; ... } [ except\-from { <string>; ... } ];
	dialup ( notify | notify\-passive | passive | refresh | <boolean> ); // deprecated
	directory <quoted_string>;
	disable\-algorithms <string> { <string>; ... }; // may occur multiple times
	disable\-ds\-digests <string> { <string>; ... }; // may occur multiple times
	disable\-empty\-zone <string>; // may occur multiple times
	dns64 <netprefix> {
		break\-dnssec <boolean>;
		clients { <address_match_element>; ... };
		exclude { <address_match_element>; ... };
		mapped { <address_match_element>; ... };
		recursive\-only <boolean>;
		suffix <ipv6_address>;
	}; // may occur multiple times
	dns64\-contact <string>;
	dns64\-server <string>;
	dnskey\-sig\-validity <integer>; // obsolete
	dnsrps\-enable <boolean>; // not configured
	dnsrps\-library <quoted_string>; // not configured
	dnsrps\-options { <unspecified\-text> }; // not configured
	dnssec\-accept\-expired <boolean>;
	dnssec\-dnskey\-kskonly <boolean>; // obsolete
	dnssec\-loadkeys\-interval <integer>;
	dnssec\-must\-be\-secure <string> <boolean>; // may occur multiple times, deprecated
	dnssec\-policy <string>;
	dnssec\-secure\-to\-insecure <boolean>; // obsolete
	dnssec\-update\-mode ( maintain | no\-resign ); // obsolete
	dnssec\-validation ( yes | no | auto );
	dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
	dnstap\-identity ( <quoted_string> | none | hostname ); // not configured
	dnstap\-output ( file | unix ) <quoted_string> [ size ( unlimited | <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( increment | timestamp ) ]; // not configured
	dnstap\-version ( <quoted_string> | none ); // not configured
	dual\-stack\-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
	dump\-file <quoted_string>;
	edns\-udp\-size <integer>;
	empty\-contact <string>;
	empty\-server <string>;
	empty\-zones\-enable <boolean>;
	fetch\-quota\-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
	fetches\-per\-server <integer> [ ( drop | fail ) ];
	fetches\-per\-zone <integer> [ ( drop | fail ) ];
	flush\-zones\-on\-shutdown <boolean>;
	forward ( first | only );
	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
	fstrm\-set\-buffer\-hint <integer>; // not configured
	fstrm\-set\-flush\-timeout <integer>; // not configured
	fstrm\-set\-input\-queue\-size <integer>; // not configured
	fstrm\-set\-output\-notify\-threshold <integer>; // not configured
	fstrm\-set\-output\-queue\-model ( mpsc | spsc ); // not configured
	fstrm\-set\-output\-queue\-size <integer>; // not configured
	fstrm\-set\-reopen\-interval <duration>; // not configured
	geoip\-directory ( <quoted_string> | none );
	heartbeat\-interval <integer>; // deprecated
	hostname ( <quoted_string> | none );
	http\-listener\-clients <integer>;
	http\-port <integer>;
	http\-streams\-per\-connection <integer>;
	https\-port <integer>;
	interface\-interval <duration>;
	ipv4only\-contact <string>;
	ipv4only\-enable <boolean>;
	ipv4only\-server <string>;
	ixfr\-from\-differences ( primary | master | secondary | slave | <boolean> );
	keep\-response\-order { <address_match_element>; ... }; // obsolete
	key\-directory <quoted_string>;
	lame\-ttl <duration>;
	listen\-on [ port <integer> ] [ proxy <string> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
	listen\-on\-v6 [ port <integer> ] [ proxy <string> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
	lmdb\-mapsize <sizeval>;
	managed\-keys\-directory <quoted_string>;
	masterfile\-format ( raw | text );
	masterfile\-style ( full | relative );
	match\-mapped\-addresses <boolean>;
	max\-cache\-size ( default | unlimited | <sizeval> | <percentage> );
	max\-cache\-ttl <duration>;
	max\-clients\-per\-query <integer>;
	max\-ixfr\-ratio ( unlimited | <percentage> );
	max\-journal\-size ( default | unlimited | <sizeval> );
	max\-ncache\-ttl <duration>;
	max\-records <integer>;
	max\-recursion\-depth <integer>;
	max\-recursion\-queries <integer>;
	max\-refresh\-time <integer>;
	max\-retry\-time <integer>;
	max\-rsa\-exponent\-size <integer>;
	max\-stale\-ttl <duration>;
	max\-transfer\-idle\-in <integer>;
	max\-transfer\-idle\-out <integer>;
	max\-transfer\-time\-in <integer>;
	max\-transfer\-time\-out <integer>;
	max\-udp\-size <integer>;
	max\-zone\-ttl ( unlimited | <duration> ); // deprecated
	memstatistics <boolean>;
	memstatistics\-file <quoted_string>;
	message\-compression <boolean>;
	min\-cache\-ttl <duration>;
	min\-ncache\-ttl <duration>;
	min\-refresh\-time <integer>;
	min\-retry\-time <integer>;
	minimal\-any <boolean>;
	minimal\-responses ( no\-auth | no\-auth\-recursive | <boolean> );
	multi\-master <boolean>;
	new\-zones\-directory <quoted_string>;
	no\-case\-compress { <address_match_element>; ... };
	nocookie\-udp\-size <integer>;
	notify ( explicit | master\-only | primary\-only | <boolean> );
	notify\-delay <integer>;
	notify\-rate <integer>;
	notify\-source ( <ipv4_address> | * );
	notify\-source\-v6 ( <ipv6_address> | * );
	notify\-to\-soa <boolean>;
	nsec3\-test\-zone <boolean>; // test only
	nta\-lifetime <duration>;
	nta\-recheck <duration>;
	nxdomain\-redirect <string>;
	parental\-source ( <ipv4_address> | * );
	parental\-source\-v6 ( <ipv6_address> | * );
	pid\-file ( <quoted_string> | none );
	port <integer>;
	preferred\-glue <string>;
	prefetch <integer> [ <integer> ];
	provide\-ixfr <boolean>;
	qname\-minimization ( strict | relaxed | disabled | off );
	query\-source [ address ] ( <ipv4_address> | * );
	query\-source\-v6 [ address ] ( <ipv6_address> | * );
	querylog <boolean>;
	rate\-limit {
		all\-per\-second <integer>;
		errors\-per\-second <integer>;
		exempt\-clients { <address_match_element>; ... };
		ipv4\-prefix\-length <integer>;
		ipv6\-prefix\-length <integer>;
		log\-only <boolean>;
		max\-table\-size <integer>;
		min\-table\-size <integer>;
		nodata\-per\-second <integer>;
		nxdomains\-per\-second <integer>;
		qps\-scale <integer>;
		referrals\-per\-second <integer>;
		responses\-per\-second <integer>;
		slip <integer>;
		window <integer>;
	};
	recursing\-file <quoted_string>;
	recursion <boolean>;
	recursive\-clients <integer>;
	request\-expire <boolean>;
	request\-ixfr <boolean>;
	request\-nsid <boolean>;
	require\-server\-cookie <boolean>;
	resolver\-query\-timeout <integer>;
	resolver\-use\-dns64 <boolean>;
	response\-padding { <address_match_element>; ... } block\-size <integer>;
	response\-policy { zone <string> [ add\-soa <boolean> ] [ log <boolean> ] [ max\-policy\-ttl <duration> ] [ min\-update\-interval <duration> ] [ policy ( cname | disabled | drop | given | no\-op | nodata | nxdomain | passthru | tcp\-only <quoted_string> ) ] [ recursive\-only <boolean> ] [ nsip\-enable <boolean> ] [ nsdname\-enable <boolean> ] [ ede <string> ]; ... } [ add\-soa <boolean> ] [ break\-dnssec <boolean> ] [ max\-policy\-ttl <duration> ] [ min\-update\-interval <duration> ] [ min\-ns\-dots <integer> ] [ nsip\-wait\-recurse <boolean> ] [ nsdname\-wait\-recurse <boolean> ] [ qname\-wait\-recurse <boolean> ] [ recursive\-only <boolean> ] [ nsip\-enable <boolean> ] [ nsdname\-enable <boolean> ] [ dnsrps\-enable <boolean> ] [ dnsrps\-options { <unspecified\-text> } ];
	reuseport <boolean>;
	root\-key\-sentinel <boolean>;
	rrset\-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
	secroots\-file <quoted_string>;
	send\-cookie <boolean>;
	serial\-query\-rate <integer>;
	serial\-update\-method ( date | increment | unixtime );
	server\-id ( <quoted_string> | none | hostname );
	servfail\-ttl <duration>;
	session\-keyalg <string>;
	session\-keyfile ( <quoted_string> | none );
	session\-keyname <string>;
	sig\-signing\-nodes <integer>;
	sig\-signing\-signatures <integer>;
	sig\-signing\-type <integer>;
	sig\-validity\-interval <integer> [ <integer> ]; // obsolete
	sortlist { <address_match_element>; ... };
	stale\-answer\-client\-timeout ( disabled | off | <integer> );
	stale\-answer\-enable <boolean>;
	stale\-answer\-ttl <duration>;
	stale\-cache\-enable <boolean>;
	stale\-refresh\-time <duration>;
	startup\-notify\-rate <integer>;
	statistics\-file <quoted_string>;
	synth\-from\-dnssec <boolean>;
	tcp\-advertised\-timeout <integer>;
	tcp\-clients <integer>;
	tcp\-idle\-timeout <integer>;
	tcp\-initial\-timeout <integer>;
	tcp\-keepalive\-timeout <integer>;
	tcp\-listen\-queue <integer>;
	tcp\-receive\-buffer <integer>;
	tcp\-send\-buffer <integer>;
	tkey\-domain <quoted_string>;
	tkey\-gssapi\-credential <quoted_string>;
	tkey\-gssapi\-keytab <quoted_string>;
	tls\-port <integer>;
	transfer\-format ( many\-answers | one\-answer );
	transfer\-message\-size <integer>;
	transfer\-source ( <ipv4_address> | * );
	transfer\-source\-v6 ( <ipv6_address> | * );
	transfers\-in <integer>;
	transfers\-out <integer>;
	transfers\-per\-ns <integer>;
	trust\-anchor\-telemetry <boolean>; // experimental
	try\-tcp\-refresh <boolean>;
	udp\-receive\-buffer <integer>;
	udp\-send\-buffer <integer>;
	update\-check\-ksk <boolean>; // obsolete
	update\-quota <integer>;
	use\-v4\-udp\-ports { <portrange>; ... }; // deprecated
	use\-v6\-udp\-ports { <portrange>; ... }; // deprecated
	v6\-bias <integer>;
	validate\-except { <string>; ... };
	version ( <quoted_string> | none );
	zero\-no\-soa\-ttl <boolean>;
	zero\-no\-soa\-ttl\-cache <boolean>;
	zone\-statistics ( full | terse | none | <boolean> );
};

parental\-agents <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times

plugin ( query ) <string> [ { <unspecified\-text> } ]; // may occur multiple times

primaries <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times

server <netprefix> {
	bogus <boolean>;
	edns <boolean>;
	edns\-udp\-size <integer>;
	edns\-version <integer>;
	keys <server_key>;
	max\-udp\-size <integer>;
	notify\-source ( <ipv4_address> | * );
	notify\-source\-v6 ( <ipv6_address> | * );
	padding <integer>;
	provide\-ixfr <boolean>;
	query\-source [ address ] ( <ipv4_address> | * );
	query\-source\-v6 [ address ] ( <ipv6_address> | * );
	request\-expire <boolean>;
	request\-ixfr <boolean>;
	request\-nsid <boolean>;
	require\-cookie <boolean>;
	send\-cookie <boolean>;
	tcp\-keepalive <boolean>;
	tcp\-only <boolean>;
	transfer\-format ( many\-answers | one\-answer );
	transfer\-source ( <ipv4_address> | * );
	transfer\-source\-v6 ( <ipv6_address> | * );
	transfers <integer>;
}; // may occur multiple times

statistics\-channels {
	inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] [ allow { <address_match_element>; ... } ]; // may occur multiple times
}; // may occur multiple times

tls <string> {
	ca\-file <quoted_string>;
	cert\-file <quoted_string>;
	ciphers <string>;
	dhparam\-file <quoted_string>;
	key\-file <quoted_string>;
	prefer\-server\-ciphers <boolean>;
	protocols { <string>; ... };
	remote\-hostname <quoted_string>;
	session\-tickets <boolean>;
}; // may occur multiple times

trust\-anchors { <string> ( static\-key | initial\-key | static\-ds | initial\-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times

trusted\-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated

view <string> [ <class> ] {
	allow\-new\-zones <boolean>;
	allow\-notify { <address_match_element>; ... };
	allow\-proxy { <address_match_element>; ... }; // experimental
	allow\-proxy\-on { <address_match_element>; ... }; // experimental
	allow\-query { <address_match_element>; ... };
	allow\-query\-cache { <address_match_element>; ... };
	allow\-query\-cache\-on { <address_match_element>; ... };
	allow\-query\-on { <address_match_element>; ... };
	allow\-recursion { <address_match_element>; ... };
	allow\-recursion\-on { <address_match_element>; ... };
	allow\-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
	allow\-update { <address_match_element>; ... };
	allow\-update\-forwarding { <address_match_element>; ... };
	also\-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
	attach\-cache <string>;
	auth\-nxdomain <boolean>;
	catalog\-zones { zone <string> [ default\-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone\-directory <quoted_string> ] [ in\-memory <boolean> ] [ min\-update\-interval <duration> ]; ... };
	check\-dup\-records ( fail | warn | ignore );
	check\-integrity <boolean>;
	check\-mx ( fail | warn | ignore );
	check\-mx\-cname ( fail | warn | ignore );
	check\-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
	check\-sibling <boolean>;
	check\-spf ( warn | ignore );
	check\-srv\-cname ( fail | warn | ignore );
	check\-svcb <boolean>;
	check\-wildcard <boolean>;
	clients\-per\-query <integer>;
	deny\-answer\-addresses { <address_match_element>; ... } [ except\-from { <string>; ... } ];
	deny\-answer\-aliases { <string>; ... } [ except\-from { <string>; ... } ];
	dialup ( notify | notify\-passive | passive | refresh | <boolean> ); // deprecated
	disable\-algorithms <string> { <string>; ... }; // may occur multiple times
	disable\-ds\-digests <string> { <string>; ... }; // may occur multiple times
	disable\-empty\-zone <string>; // may occur multiple times
	dlz <string> {
		database <string>;
		search <boolean>;
	}; // may occur multiple times
	dns64 <netprefix> {
		break\-dnssec <boolean>;
		clients { <address_match_element>; ... };
		exclude { <address_match_element>; ... };
		mapped { <address_match_element>; ... };
		recursive\-only <boolean>;
		suffix <ipv6_address>;
	}; // may occur multiple times
	dns64\-contact <string>;
	dns64\-server <string>;
	dnskey\-sig\-validity <integer>; // obsolete
	dnsrps\-enable <boolean>; // not configured
	dnsrps\-options { <unspecified\-text> }; // not configured
	dnssec\-accept\-expired <boolean>;
	dnssec\-dnskey\-kskonly <boolean>; // obsolete
	dnssec\-loadkeys\-interval <integer>;
	dnssec\-must\-be\-secure <string> <boolean>; // may occur multiple times, deprecated
	dnssec\-policy <string>;
	dnssec\-secure\-to\-insecure <boolean>; // obsolete
	dnssec\-update\-mode ( maintain | no\-resign ); // obsolete
	dnssec\-validation ( yes | no | auto );
	dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
	dual\-stack\-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
	dyndb <string> <quoted_string> { <unspecified\-text> }; // may occur multiple times
	edns\-udp\-size <integer>;
	empty\-contact <string>;
	empty\-server <string>;
	empty\-zones\-enable <boolean>;
	fetch\-quota\-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
	fetches\-per\-server <integer> [ ( drop | fail ) ];
	fetches\-per\-zone <integer> [ ( drop | fail ) ];
	forward ( first | only );
	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
	ipv4only\-contact <string>;
	ipv4only\-enable <boolean>;
	ipv4only\-server <string>;
	ixfr\-from\-differences ( primary | master | secondary | slave | <boolean> );
	key <string> {
		algorithm <string>;
		secret <string>;
	}; // may occur multiple times
	key\-directory <quoted_string>;
	lame\-ttl <duration>;
	lmdb\-mapsize <sizeval>;
	managed\-keys { <string> ( static\-key | initial\-key | static\-ds | initial\-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
	masterfile\-format ( raw | text );
	masterfile\-style ( full | relative );
	match\-clients { <address_match_element>; ... };
	match\-destinations { <address_match_element>; ... };
	match\-recursive\-only <boolean>;
	max\-cache\-size ( default | unlimited | <sizeval> | <percentage> );
	max\-cache\-ttl <duration>;
	max\-clients\-per\-query <integer>;
	max\-ixfr\-ratio ( unlimited | <percentage> );
	max\-journal\-size ( default | unlimited | <sizeval> );
	max\-ncache\-ttl <duration>;
	max\-records <integer>;
	max\-recursion\-depth <integer>;
	max\-recursion\-queries <integer>;
	max\-refresh\-time <integer>;
	max\-retry\-time <integer>;
	max\-stale\-ttl <duration>;
	max\-transfer\-idle\-in <integer>;
	max\-transfer\-idle\-out <integer>;
	max\-transfer\-time\-in <integer>;
	max\-transfer\-time\-out <integer>;
	max\-udp\-size <integer>;
	max\-zone\-ttl ( unlimited | <duration> ); // deprecated
	message\-compression <boolean>;
	min\-cache\-ttl <duration>;
	min\-ncache\-ttl <duration>;
	min\-refresh\-time <integer>;
	min\-retry\-time <integer>;
	minimal\-any <boolean>;
	minimal\-responses ( no\-auth | no\-auth\-recursive | <boolean> );
	multi\-master <boolean>;
	new\-zones\-directory <quoted_string>;
	no\-case\-compress { <address_match_element>; ... };
	nocookie\-udp\-size <integer>;
	notify ( explicit | master\-only | primary\-only | <boolean> );
	notify\-delay <integer>;
	notify\-source ( <ipv4_address> | * );
	notify\-source\-v6 ( <ipv6_address> | * );
	notify\-to\-soa <boolean>;
	nsec3\-test\-zone <boolean>; // test only
	nta\-lifetime <duration>;
	nta\-recheck <duration>;
	nxdomain\-redirect <string>;
	parental\-source ( <ipv4_address> | * );
	parental\-source\-v6 ( <ipv6_address> | * );
	plugin ( query ) <string> [ { <unspecified\-text> } ]; // may occur multiple times
	preferred\-glue <string>;
	prefetch <integer> [ <integer> ];
	provide\-ixfr <boolean>;
	qname\-minimization ( strict | relaxed | disabled | off );
	query\-source [ address ] ( <ipv4_address> | * );
	query\-source\-v6 [ address ] ( <ipv6_address> | * );
	rate\-limit {
		all\-per\-second <integer>;
		errors\-per\-second <integer>;
		exempt\-clients { <address_match_element>; ... };
		ipv4\-prefix\-length <integer>;
		ipv6\-prefix\-length <integer>;
		log\-only <boolean>;
		max\-table\-size <integer>;
		min\-table\-size <integer>;
		nodata\-per\-second <integer>;
		nxdomains\-per\-second <integer>;
		qps\-scale <integer>;
		referrals\-per\-second <integer>;
		responses\-per\-second <integer>;
		slip <integer>;
		window <integer>;
	};
	recursion <boolean>;
	request\-expire <boolean>;
	request\-ixfr <boolean>;
	request\-nsid <boolean>;
	require\-server\-cookie <boolean>;
	resolver\-query\-timeout <integer>;
	resolver\-use\-dns64 <boolean>;
	response\-padding { <address_match_element>; ... } block\-size <integer>;
	response\-policy { zone <string> [ add\-soa <boolean> ] [ log <boolean> ] [ max\-policy\-ttl <duration> ] [ min\-update\-interval <duration> ] [ policy ( cname | disabled | drop | given | no\-op | nodata | nxdomain | passthru | tcp\-only <quoted_string> ) ] [ recursive\-only <boolean> ] [ nsip\-enable <boolean> ] [ nsdname\-enable <boolean> ] [ ede <string> ]; ... } [ add\-soa <boolean> ] [ break\-dnssec <boolean> ] [ max\-policy\-ttl <duration> ] [ min\-update\-interval <duration> ] [ min\-ns\-dots <integer> ] [ nsip\-wait\-recurse <boolean> ] [ nsdname\-wait\-recurse <boolean> ] [ qname\-wait\-recurse <boolean> ] [ recursive\-only <boolean> ] [ nsip\-enable <boolean> ] [ nsdname\-enable <boolean> ] [ dnsrps\-enable <boolean> ] [ dnsrps\-options { <unspecified\-text> } ];
	root\-key\-sentinel <boolean>;
	rrset\-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
	send\-cookie <boolean>;
	serial\-update\-method ( date | increment | unixtime );
	server <netprefix> {
		bogus <boolean>;
		edns <boolean>;
		edns\-udp\-size <integer>;
		edns\-version <integer>;
		keys <server_key>;
		max\-udp\-size <integer>;
		notify\-source ( <ipv4_address> | * );
		notify\-source\-v6 ( <ipv6_address> | * );
		padding <integer>;
		provide\-ixfr <boolean>;
		query\-source [ address ] ( <ipv4_address> | * );
		query\-source\-v6 [ address ] ( <ipv6_address> | * );
		request\-expire <boolean>;
		request\-ixfr <boolean>;
		request\-nsid <boolean>;
		require\-cookie <boolean>;
		send\-cookie <boolean>;
		tcp\-keepalive <boolean>;
		tcp\-only <boolean>;
		transfer\-format ( many\-answers | one\-answer );
		transfer\-source ( <ipv4_address> | * );
		transfer\-source\-v6 ( <ipv6_address> | * );
		transfers <integer>;
	}; // may occur multiple times
	servfail\-ttl <duration>;
	sig\-signing\-nodes <integer>;
	sig\-signing\-signatures <integer>;
	sig\-signing\-type <integer>;
	sig\-validity\-interval <integer> [ <integer> ]; // obsolete
	sortlist { <address_match_element>; ... };
	stale\-answer\-client\-timeout ( disabled | off | <integer> );
	stale\-answer\-enable <boolean>;
	stale\-answer\-ttl <duration>;
	stale\-cache\-enable <boolean>;
	stale\-refresh\-time <duration>;
	synth\-from\-dnssec <boolean>;
	transfer\-format ( many\-answers | one\-answer );
	transfer\-source ( <ipv4_address> | * );
	transfer\-source\-v6 ( <ipv6_address> | * );
	trust\-anchor\-telemetry <boolean>; // experimental
	trust\-anchors { <string> ( static\-key | initial\-key | static\-ds | initial\-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
	trusted\-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
	try\-tcp\-refresh <boolean>;
	update\-check\-ksk <boolean>; // obsolete
	v6\-bias <integer>;
	validate\-except { <string>; ... };
	zero\-no\-soa\-ttl <boolean>;
	zero\-no\-soa\-ttl\-cache <boolean>;
	zone\-statistics ( full | terse | none | <boolean> );
}; // may occur multiple times


.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Any of these zone statements can also be set inside the view statement.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
zone <string> [ <class> ] {
	type primary;
	allow\-query { <address_match_element>; ... };
	allow\-query\-on { <address_match_element>; ... };
	allow\-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
	allow\-update { <address_match_element>; ... };
	also\-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
	check\-dup\-records ( fail | warn | ignore );
	check\-integrity <boolean>;
	check\-mx ( fail | warn | ignore );
	check\-mx\-cname ( fail | warn | ignore );
	check\-names ( fail | warn | ignore );
	check\-sibling <boolean>;
	check\-spf ( warn | ignore );
	check\-srv\-cname ( fail | warn | ignore );
	check\-svcb <boolean>;
	check\-wildcard <boolean>;
	checkds ( explicit | <boolean> );
	database <string>;
	dialup ( notify | notify\-passive | passive | refresh | <boolean> ); // deprecated
	dlz <string>;
	dnskey\-sig\-validity <integer>; // obsolete
	dnssec\-dnskey\-kskonly <boolean>; // obsolete
	dnssec\-loadkeys\-interval <integer>;
	dnssec\-policy <string>;
	dnssec\-secure\-to\-insecure <boolean>; // obsolete
	dnssec\-update\-mode ( maintain | no\-resign ); // obsolete
	file <quoted_string>;
	forward ( first | only );
	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
	inline\-signing <boolean>;
	ixfr\-from\-differences <boolean>;
	journal <quoted_string>;
	key\-directory <quoted_string>;
	masterfile\-format ( raw | text );
	masterfile\-style ( full | relative );
	max\-ixfr\-ratio ( unlimited | <percentage> );
	max\-journal\-size ( default | unlimited | <sizeval> );
	max\-records <integer>;
	max\-transfer\-idle\-out <integer>;
	max\-transfer\-time\-out <integer>;
	max\-zone\-ttl ( unlimited | <duration> ); // deprecated
	notify ( explicit | master\-only | primary\-only | <boolean> );
	notify\-delay <integer>;
	notify\-source ( <ipv4_address> | * );
	notify\-source\-v6 ( <ipv6_address> | * );
	notify\-to\-soa <boolean>;
	nsec3\-test\-zone <boolean>; // test only
	parental\-agents [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
	parental\-source ( <ipv4_address> | * );
	parental\-source\-v6 ( <ipv6_address> | * );
	serial\-update\-method ( date | increment | unixtime );
	sig\-signing\-nodes <integer>;
	sig\-signing\-signatures <integer>;
	sig\-signing\-type <integer>;
	sig\-validity\-interval <integer> [ <integer> ]; // obsolete
	update\-check\-ksk <boolean>; // obsolete
	update\-policy ( local | { ( deny | grant ) <string> ( 6to4\-self | external | krb5\-self | krb5\-selfsub | krb5\-subdomain | krb5\-subdomain\-self\-rhs | ms\-self | ms\-selfsub | ms\-subdomain | ms\-subdomain\-self\-rhs | name | self | selfsub | selfwild | subdomain | tcp\-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } );
	zero\-no\-soa\-ttl <boolean>;
	zone\-statistics ( full | terse | none | <boolean> );
};

.ft P
.fi
.UNINDENT
.UNINDENT
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
zone <string> [ <class> ] {
	type secondary;
	allow\-notify { <address_match_element>; ... };
	allow\-query { <address_match_element>; ... };
	allow\-query\-on { <address_match_element>; ... };
	allow\-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
	allow\-update\-forwarding { <address_match_element>; ... };
	also\-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
	check\-names ( fail | warn | ignore );
	checkds ( explicit | <boolean> );
	database <string>;
	dialup ( notify | notify\-passive | passive | refresh | <boolean> ); // deprecated
	dlz <string>;
	dnskey\-sig\-validity <integer>; // obsolete
	dnssec\-dnskey\-kskonly <boolean>; // obsolete
	dnssec\-loadkeys\-interval <integer>;
	dnssec\-policy <string>;
	dnssec\-update\-mode ( maintain | no\-resign ); // obsolete
	file <quoted_string>;
	forward ( first | only );
	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
	inline\-signing <boolean>;
	ixfr\-from\-differences <boolean>;
	journal <quoted_string>;
	key\-directory <quoted_string>;
	masterfile\-format ( raw | text );
	masterfile\-style ( full | relative );
	max\-ixfr\-ratio ( unlimited | <percentage> );
	max\-journal\-size ( default | unlimited | <sizeval> );
	max\-records <integer>;
	max\-refresh\-time <integer>;
	max\-retry\-time <integer>;
	max\-transfer\-idle\-in <integer>;
	max\-transfer\-idle\-out <integer>;
	max\-transfer\-time\-in <integer>;
	max\-transfer\-time\-out <integer>;
	min\-refresh\-time <integer>;
	min\-retry\-time <integer>;
	multi\-master <boolean>;
	notify ( explicit | master\-only | primary\-only | <boolean> );
	notify\-delay <integer>;
	notify\-source ( <ipv4_address> | * );
	notify\-source\-v6 ( <ipv6_address> | * );
	notify\-to\-soa <boolean>;
	nsec3\-test\-zone <boolean>; // test only
	parental\-agents [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
	parental\-source ( <ipv4_address> | * );
	parental\-source\-v6 ( <ipv6_address> | * );
	primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
	request\-expire <boolean>;
	request\-ixfr <boolean>;
	sig\-signing\-nodes <integer>;
	sig\-signing\-signatures <integer>;
	sig\-signing\-type <integer>;
	sig\-validity\-interval <integer> [ <integer> ]; // obsolete
	transfer\-source ( <ipv4_address> | * );
	transfer\-source\-v6 ( <ipv6_address> | * );
	try\-tcp\-refresh <boolean>;
	update\-check\-ksk <boolean>; // obsolete
	zero\-no\-soa\-ttl <boolean>;
	zone\-statistics ( full | terse | none | <boolean> );
};

.ft P
.fi
.UNINDENT
.UNINDENT
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
zone <string> [ <class> ] {
	type mirror;
	allow\-notify { <address_match_element>; ... };
	allow\-query { <address_match_element>; ... };
	allow\-query\-on { <address_match_element>; ... };
	allow\-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
	allow\-update\-forwarding { <address_match_element>; ... };
	also\-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
	check\-names ( fail | warn | ignore );
	database <string>;
	file <quoted_string>;
	ixfr\-from\-differences <boolean>;
	journal <quoted_string>;
	masterfile\-format ( raw | text );
	masterfile\-style ( full | relative );
	max\-ixfr\-ratio ( unlimited | <percentage> );
	max\-journal\-size ( default | unlimited | <sizeval> );
	max\-records <integer>;
	max\-refresh\-time <integer>;
	max\-retry\-time <integer>;
	max\-transfer\-idle\-in <integer>;
	max\-transfer\-idle\-out <integer>;
	max\-transfer\-time\-in <integer>;
	max\-transfer\-time\-out <integer>;
	min\-refresh\-time <integer>;
	min\-retry\-time <integer>;
	multi\-master <boolean>;
	notify ( explicit | master\-only | primary\-only | <boolean> );
	notify\-delay <integer>;
	notify\-source ( <ipv4_address> | * );
	notify\-source\-v6 ( <ipv6_address> | * );
	primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
	request\-expire <boolean>;
	request\-ixfr <boolean>;
	transfer\-source ( <ipv4_address> | * );
	transfer\-source\-v6 ( <ipv6_address> | * );
	try\-tcp\-refresh <boolean>;
	zero\-no\-soa\-ttl <boolean>;
	zone\-statistics ( full | terse | none | <boolean> );
};

.ft P
.fi
.UNINDENT
.UNINDENT
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
zone <string> [ <class> ] {
	type forward;
	forward ( first | only );
	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
};

.ft P
.fi
.UNINDENT
.UNINDENT
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
zone <string> [ <class> ] {
	type hint;
	check\-names ( fail | warn | ignore );
	file <quoted_string>;
};

.ft P
.fi
.UNINDENT
.UNINDENT
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
zone <string> [ <class> ] {
	type redirect;
	allow\-query { <address_match_element>; ... };
	allow\-query\-on { <address_match_element>; ... };
	dlz <string>;
	file <quoted_string>;
	masterfile\-format ( raw | text );
	masterfile\-style ( full | relative );
	max\-records <integer>;
	max\-zone\-ttl ( unlimited | <duration> ); // deprecated
	primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
	zone\-statistics ( full | terse | none | <boolean> );
};

.ft P
.fi
.UNINDENT
.UNINDENT
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
zone <string> [ <class> ] {
	type static\-stub;
	allow\-query { <address_match_element>; ... };
	allow\-query\-on { <address_match_element>; ... };
	forward ( first | only );
	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
	max\-records <integer>;
	server\-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
	server\-names { <string>; ... };
	zone\-statistics ( full | terse | none | <boolean> );
};

.ft P
.fi
.UNINDENT
.UNINDENT
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
zone <string> [ <class> ] {
	type stub;
	allow\-query { <address_match_element>; ... };
	allow\-query\-on { <address_match_element>; ... };
	check\-names ( fail | warn | ignore );
	database <string>;
	dialup ( notify | notify\-passive | passive | refresh | <boolean> ); // deprecated
	file <quoted_string>;
	forward ( first | only );
	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
	masterfile\-format ( raw | text );
	masterfile\-style ( full | relative );
	max\-records <integer>;
	max\-refresh\-time <integer>;
	max\-retry\-time <integer>;
	max\-transfer\-idle\-in <integer>;
	max\-transfer\-time\-in <integer>;
	min\-refresh\-time <integer>;
	min\-retry\-time <integer>;
	multi\-master <boolean>;
	primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
	transfer\-source ( <ipv4_address> | * );
	transfer\-source\-v6 ( <ipv6_address> | * );
	zone\-statistics ( full | terse | none | <boolean> );
};

.ft P
.fi
.UNINDENT
.UNINDENT
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
zone <string> [ <class> ] {
	in\-view <string>;
};

.ft P
.fi
.UNINDENT
.UNINDENT
.SH FILES
.sp
\fB@sysconfdir@/named.conf\fP
.SH SEE ALSO
.sp
\fI\%named(8)\fP, \fI\%named\-checkconf(8)\fP, \fI\%rndc(8)\fP, \fI\%rndc\-confgen(8)\fP, \fI\%tsig\-keygen(8)\fP, BIND 9 Administrator Reference Manual.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
2023, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
